From 30788066d6bccd86bb3fb31a0a69f6c868b56682 Mon Sep 17 00:00:00 2001 
From: "zhiguo.zhang" Date: Wed, 5 Jun 2019 00:07:09 +0800 Subject: [PATCH] Upgrade std kernel patch to CentOS7.6 3.10.0-957.12.2 New set of CVEs was reported against Intel CPUs: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091. For these CVEs there are RH and CentOS updates available. CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/ corporate-information/SA00233-microcode-update-guidance_05132019.pdf CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/ corporate-information/SA00233-microcode-update-guidance_05132019.pdf CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/ corporate-information/SA00233-microcode-update-guidance_05132019.pdf CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory(MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. 
A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/ corporate-information/SA00233-microcode-update-guidance_05132019.pdf These are from the http://cve.mitre.org website. These are the MDS security CVEs. The patch is modified as follows: 1.Delete the 929-931 line of the arch/x86/kernel/cpu/cacheinfo.c file, because starlingx's Porting-Cacheinfo-from-Kernel-4.10.17.patch removes the ici_cpuid4_info structure. 2.The build-logic-and-sources-for-TiC.patch version number has been modified. 3.In addition to the modifications in the files in 1 and 2, other patches only modify the line number. Closes-Bug: 1830487 Depends-On: https://review.opendev.org/663071 Change-Id: I4cad783311ed4a6c60b4f69bdad75d773d0cd23d Signed-off-by: zhiguo.zhang --- .../Build-logic-and-sources-for-TiC.patch | 8 +-- ...tion-of-death-of-arbitrary-processes.patch | 2 +- ...orting-Cacheinfo-from-Kernel-4.10.17.patch | 71 ++++++++++--------- ...01216-IMA-support-in-Titanium-kernel.patch | 8 +-- .../affine-compute-kernel-threads.patch | 2 +- .../patches/fix-compilation-issues.patch | 2 +- ...w-ignoring-Ethernet-device-RMRR-with.patch | 2 +- kernel/kernel-std/centos/srpm_path | 2 +- 8 files changed, 50 insertions(+), 47 deletions(-) diff --git a/kernel/kernel-std/centos/meta_patches/Build-logic-and-sources-for-TiC.patch b/kernel/kernel-std/centos/meta_patches/Build-logic-and-sources-for-TiC.patch index 8cdd2b3d9..a17ef217e 100644 --- a/kernel/kernel-std/centos/meta_patches/Build-logic-and-sources-for-TiC.patch +++ b/kernel/kernel-std/centos/meta_patches/Build-logic-and-sources-for-TiC.patch 
@@ -26,13 +26,13 @@ index 1c3a765..f2499b4 100644 %global distro_build 957 %define rpmversion 3.10.0 --%define pkgrelease 957.1.3.el7 -+%define _pkgrelease 957.1.3 +-%define pkgrelease 957.12.2.el7 ++%define _pkgrelease 957.12.2 +%define pkgrelease %{_pkgrelease}.el7 + # allow pkg_release to have configurable %%{?dist} tag - %define specrelease 957.1.3%{?dist} + %define specrelease 957.12.2%{?dist} -%define pkg_release %{specrelease}%{?buildid} +%define pkg_release %{specrelease}%{buildid} @@ -224,7 +224,7 @@ index 1c3a765..f2499b4 100644 +%endif + %changelog - * Mon Nov 26 2018 CentOS Sources - 3.10.0-957.1.3.el7 + * Tue May 14 2019 CentOS Sources - 3.10.0-957.12.2.el7 - Apply debranding changes -- 2.7.4 diff --git a/kernel/kernel-std/centos/patches/Notification-of-death-of-arbitrary-processes.patch b/kernel/kernel-std/centos/patches/Notification-of-death-of-arbitrary-processes.patch index d215c7cd2..59e9e69f3 100644 --- a/kernel/kernel-std/centos/patches/Notification-of-death-of-arbitrary-processes.patch +++ b/kernel/kernel-std/centos/patches/Notification-of-death-of-arbitrary-processes.patch @@ -65,7 +65,7 @@ diff --git a/include/linux/sched.h b/include/linux/sched.h index d184652..ba6ae5c 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h -@@ -1649,6 +1649,12 @@ struct task_struct { +@@ -1653,6 +1653,12 @@ struct task_struct { short il_next; short pref_node_fork; #endif diff --git a/kernel/kernel-std/centos/patches/Porting-Cacheinfo-from-Kernel-4.10.17.patch b/kernel/kernel-std/centos/patches/Porting-Cacheinfo-from-Kernel-4.10.17.patch index 76fa2bdcf..5bdcccb52 100644 --- a/kernel/kernel-std/centos/patches/Porting-Cacheinfo-from-Kernel-4.10.17.patch +++ b/kernel/kernel-std/centos/patches/Porting-Cacheinfo-from-Kernel-4.10.17.patch @@ -47,13 +47,13 @@ This helps in: 
Signed-off-by: Jim Somerville --- Documentation/ABI/testing/sysfs-devices-system-cpu | 65 ++ - arch/x86/kernel/cpu/cacheinfo.c | 830 +++++++-------------- + arch/x86/kernel/cpu/cacheinfo.c | 833 +++++++-------------- drivers/base/Makefile | 2 +- drivers/base/cacheinfo.c | 662 ++++++++++++++++ drivers/base/cpu.c | 54 ++ include/linux/cacheinfo.h | 104 +++ include/linux/cpu.h | 3 + - 7 files changed, 1147 insertions(+), 573 deletions(-) + 7 files changed, 1147 insertions(+), 576 deletions(-) create mode 100644 drivers/base/cacheinfo.c create mode 100644 include/linux/cacheinfo.h @@ -461,7 +461,7 @@ index d529019..bf23bd2 100644 + + if (nb && nb->l3_cache.indices) + init_amd_l3_attrs(); -+ + + return &cache_private_group; +} + @@ -472,7 +472,7 @@ index d529019..bf23bd2 100644 + /* only for L3, and not in virtualized environments */ + if (index < 3) + return; - ++ + node = amd_get_nb_id(smp_processor_id()); + this_leaf->nb = node_to_amd_nb(node); + if (this_leaf->nb && !this_leaf->nb->l3_cache.indices) @@ -798,11 +798,11 @@ index d529019..bf23bd2 100644 +static int __init_cache_level(unsigned int cpu) { - int i; -- -- for (i = 0; i < num_cache_leaves; i++) -- cache_remove_shared_cpu_map(cpu, i); + struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu); +- for (i = 0; i < num_cache_leaves; i++) +- cache_remove_shared_cpu_map(cpu, i); +- - kfree(per_cpu(ici_cpuid4_info, cpu)); - per_cpu(ici_cpuid4_info, cpu) = NULL; + if (!num_cache_leaves) 
@@ -815,17 +815,20 @@ index d529019..bf23bd2 100644 } /* -@@ -925,411 +985,37 @@ static void get_cache_id(int cpu, struct _cpuid4_info_regs *id4_regs) +@@ -925,414 +985,37 @@ static void get_cache_id(int cpu, struct _cpuid4_info_regs *id4_regs) int get_cpu_cache_id(int cpu, int level) { int i; + struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu); -- for (i = 0; i < num_cache_leaves; i++) { -- struct _cpuid4_info *this_leaf = CPUID4_INFO_IDX(cpu, i); +- if (!per_cpu(ici_cpuid4_info, cpu)) +- return -1; + for (i = 0; i < this_cpu_ci->num_leaves; i++) { + struct cacheinfo *this_leaf = this_cpu_ci->info_list + i; +- for (i = 0; i < num_cache_leaves; i++) { +- struct _cpuid4_info *this_leaf = CPUID4_INFO_IDX(cpu, i); +- - if (this_leaf->base.eax.split.level == level) - return this_leaf->base.id; + if (this_leaf->level == level) @@ -836,13 +839,18 @@ index d529019..bf23bd2 100644 } -static void get_cpu_leaves(void *_retval) --{ ++static int __populate_cache_leaves(unsigned int cpu) + { - int j, *retval = _retval, cpu = smp_processor_id(); - - /* Do cpuid and store the results */ - for (j = 0; j < num_cache_leaves; j++) { - struct _cpuid4_info *this_leaf = CPUID4_INFO_IDX(cpu, j); -- ++ unsigned int idx, ret; ++ struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu); ++ struct cacheinfo *this_leaf = this_cpu_ci->info_list; ++ struct _cpuid4_info_regs id4_regs = {}; + - *retval = cpuid4_cache_lookup_regs(j, &this_leaf->base); - if (unlikely(*retval < 0)) { - int i; 
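Review bot: The rebased inner hunk for get_cpu_cache_id drops the `if (!per_cpu(ici_cpuid4_info, cpu)) return -1;` guard that the 957.12.2 base kernel adds, and the replacement loop over `this_cpu_ci->num_leaves` has no counterpart check, so a caller asking about a CPU whose cache info has not been populated yet no longer gets the early -1 the base kernel now returns. Removing those two lines is unavoidable because the port replaces ici_cpuid4_info with the cacheinfo framework, but the intent of the base fix should be carried over on the cacheinfo side: unless `num_leaves` is guaranteed to stay zero until `info_list` is allocated (not visible here), add `if (!this_cpu_ci->info_list) return -1;` before the loop. The body of get_cpu_cache_id runs past the end of this hunk, so what the function falls through to is not visible here. The commit message currently describes the deletion only as a structural consequence; it would help to state there whether the lost guard is covered by the framework or intentionally dropped.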
@@ -853,13 +861,21 @@ index d529019..bf23bd2 100644 - } - cache_shared_cpu_map_setup(cpu, j); - get_cache_id(cpu, &this_leaf->base); -- } ++ for (idx = 0; idx < this_cpu_ci->num_leaves; idx++) { ++ ret = cpuid4_cache_lookup_regs(idx, &id4_regs); ++ if (ret) ++ return ret; ++ get_cache_id(cpu, &id4_regs); ++ ci_leaf_init(this_leaf++, &id4_regs); ++ __cache_cpumap_setup(cpu, idx, &id4_regs); + } -} - -static int detect_cache_attributes(unsigned int cpu) -{ - int retval; -- ++ this_cpu_ci->cpu_map_populated = true; + - if (num_cache_leaves == 0) - return -ENOENT; - @@ -1116,8 +1132,7 @@ index d529019..bf23bd2 100644 - -/* Add/Remove cache interface for CPU device */ -static int cache_add_dev(struct device *dev) -+static int __populate_cache_leaves(unsigned int cpu) - { +-{ - unsigned int cpu = dev->id; - unsigned long i, j; - struct _index_kobject *this_object; @@ -1140,11 +1155,7 @@ index d529019..bf23bd2 100644 - this_object = INDEX_KOBJECT_PTR(cpu, i); - this_object->cpu = cpu; - this_object->index = i; -+ unsigned int idx, ret; -+ struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu); -+ struct cacheinfo *this_leaf = this_cpu_ci->info_list; -+ struct _cpuid4_info_regs id4_regs = {}; - +- - this_leaf = CPUID4_INFO_IDX(cpu, i); - - ktype_cache.default_attrs = default_attrs; @@ -1164,17 +1175,9 @@ index d529019..bf23bd2 100644 - return retval; - } - kobject_uevent(&(this_object->kobj), KOBJ_ADD); -+ for (idx = 0; idx < this_cpu_ci->num_leaves; idx++) { -+ ret = cpuid4_cache_lookup_regs(idx, &id4_regs); -+ if (ret) -+ return ret; -+ get_cache_id(cpu, &id4_regs); -+ ci_leaf_init(this_leaf++, &id4_regs); -+ __cache_cpumap_setup(cpu, idx, &id4_regs); - } +- } - cpumask_set_cpu(cpu, to_cpumask(cache_dev_map)); -+ this_cpu_ci->cpu_map_populated = true; - +- - kobject_uevent(per_cpu(ici_cache_kobject, cpu), KOBJ_ADD); return 0; } @@ -2107,9 +2110,9 @@ diff --git a/include/linux/cpu.h b/include/linux/cpu.h index 82180fe..434d92c 100644 --- a/include/linux/cpu.h 
+++ b/include/linux/cpu.h -@@ -49,6 +49,9 @@ extern ssize_t cpu_show_spec_store_bypass(struct device *dev, - extern ssize_t cpu_show_l1tf(struct device *dev, - struct device_attribute *attr, char *buf); +@@ -51,6 +51,9 @@ extern ssize_t cpu_show_l1tf(struct device *dev, + extern ssize_t cpu_show_mds(struct device *dev, + struct device_attribute *attr, char *buf); +extern struct device *cpu_device_create(struct device *parent, void *drvdata, + const struct attribute_group **groups, diff --git a/kernel/kernel-std/centos/patches/US101216-IMA-support-in-Titanium-kernel.patch b/kernel/kernel-std/centos/patches/US101216-IMA-support-in-Titanium-kernel.patch index ba81a997b..f91c8066b 100644 --- a/kernel/kernel-std/centos/patches/US101216-IMA-support-in-Titanium-kernel.patch +++ b/kernel/kernel-std/centos/patches/US101216-IMA-support-in-Titanium-kernel.patch @@ -229,7 +229,7 @@ diff --git a/security/security.c b/security/security.c index f069482..646a0e3 100644 --- a/security/security.c +++ b/security/security.c -@@ -157,6 +157,110 @@ EXPORT_SYMBOL(unregister_lsm_notifier); +@@ -161,6 +161,110 @@ EXPORT_SYMBOL(unregister_lsm_notifier); /* Security operations */ @@ -340,7 +340,7 @@ index f069482..646a0e3 100644 int security_ptrace_access_check(struct task_struct *child, unsigned int mode) { #ifdef CONFIG_SECURITY_YAMA_STACKED -@@ -716,8 +820,11 @@ EXPORT_SYMBOL(security_inode_listsecurity); +@@ -720,8 +824,11 @@ EXPORT_SYMBOL(security_inode_listsecurity); void security_inode_getsecid(struct inode *inode, u32 *secid) { @@ -353,7 +353,7 @@ index f069482..646a0e3 100644 int security_inode_copy_up(struct dentry *src, struct cred **new) { -@@ -1526,6 +1633,7 @@ int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) +@@ -1530,6 +1637,7 @@ int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) { return security_ops->audit_rule_init(field, op, rulestr, lsmrule); } 
@@ -361,7 +361,7 @@ index f069482..646a0e3 100644 int security_audit_rule_known(struct audit_krule *krule) { -@@ -1542,6 +1650,7 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, +@@ -1546,6 +1654,7 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, { return security_ops->audit_rule_match(secid, field, op, lsmrule, actx); } diff --git a/kernel/kernel-std/centos/patches/affine-compute-kernel-threads.patch b/kernel/kernel-std/centos/patches/affine-compute-kernel-threads.patch index 5b0a632bb..597655266 100644 --- a/kernel/kernel-std/centos/patches/affine-compute-kernel-threads.patch +++ b/kernel/kernel-std/centos/patches/affine-compute-kernel-threads.patch @@ -107,7 +107,7 @@ diff --git a/kernel/cpu.c b/kernel/cpu.c index 0d9e250..6c156bd 100644 --- a/kernel/cpu.c +++ b/kernel/cpu.c -@@ -991,6 +991,19 @@ static DECLARE_BITMAP(cpu_active_bits, CONFIG_NR_CPUS) __read_mostly; +@@ -1012,6 +1012,19 @@ static DECLARE_BITMAP(cpu_active_bits, CONFIG_NR_CPUS) __read_mostly; const struct cpumask *const cpu_active_mask = to_cpumask(cpu_active_bits); EXPORT_SYMBOL(cpu_active_mask); diff --git a/kernel/kernel-std/centos/patches/fix-compilation-issues.patch b/kernel/kernel-std/centos/patches/fix-compilation-issues.patch index ce0e5ea7f..ba3351a57 100644 --- a/kernel/kernel-std/centos/patches/fix-compilation-issues.patch +++ b/kernel/kernel-std/centos/patches/fix-compilation-issues.patch @@ -82,7 +82,7 @@ diff --git a/include/linux/huge_mm.h b/include/linux/huge_mm.h index 26ec982..45af11b 100644 --- a/include/linux/huge_mm.h +++ b/include/linux/huge_mm.h -@@ -362,7 +362,7 @@ static inline int pud_trans_huge_lock(pud_t *pud, struct vm_area_struct *vma, +@@ -365,7 +365,7 @@ static inline int pud_trans_huge_lock(pud_t *pud, struct vm_area_struct *vma, return 0; } 
diff --git a/kernel/kernel-std/centos/patches/intel-iommu-allow-ignoring-Ethernet-device-RMRR-with.patch b/kernel/kernel-std/centos/patches/intel-iommu-allow-ignoring-Ethernet-device-RMRR-with.patch index a4c7546bb..f05e5bc8e 100644 --- a/kernel/kernel-std/centos/patches/intel-iommu-allow-ignoring-Ethernet-device-RMRR-with.patch +++ b/kernel/kernel-std/centos/patches/intel-iommu-allow-ignoring-Ethernet-device-RMRR-with.patch @@ -99,7 +99,7 @@ index 260597e..6c16b68 100644 } else if (!strncmp(str, "strict", 6)) { pr_info("Disable batched IOTLB flush\n"); intel_iommu_strict = 1; -@@ -2779,6 +2789,15 @@ static bool device_is_rmrr_locked(struct device *dev) +@@ -2820,6 +2830,15 @@ static bool device_is_rmrr_locked(struct device *dev) if (IS_USB_DEVICE(pdev) || IS_GFX_DEVICE(pdev)) return false; diff --git a/kernel/kernel-std/centos/srpm_path b/kernel/kernel-std/centos/srpm_path index 23abb4311..8cef82565 100644 --- a/kernel/kernel-std/centos/srpm_path +++ b/kernel/kernel-std/centos/srpm_path @@ -1,2 +1,2 @@ -mirror:Source/kernel-3.10.0-957.1.3.el7.src.rpm +mirror:Source/kernel-3.10.0-957.12.2.el7.src.rpm